Encryption - What is it and why is it important?

The news has been filled with cases of universities, corporations, and government entities inadvertently releasing sensitive data or storing it in insecure ways. House Bill 104, recently passed by the Ohio General Assembly, requires notification of all individuals of any breach in data security that might result in their identities being stolen.

So, what can you do to protect data that you have in your possession?

First, let's start with some possible sensitive data you might have and how you can protect it and yourself. Sensitive data about you, students, faculty members, and research participants can live anywhere that you store digital information including a desktop computer, a laptop, a PDA, or a flash drive.

For example, exposing research participants' Social Security Numbers could have huge implications for current and future funding. Student data (grades, SSNs, etc.) also needs to be protected and treated as sensitive data. While it's convenient to copy files onto portable/mobile devices and media, what information do you really need to be with you at all times? Theft of portable devices is a very serious problem and having data stolen is becoming a large problem too.

What is Encryption?

Encryption is a means to encode data. The purpose of encryption is concealment, or more specifically, security and confidentiality. Things like digital signatures are often confused with encryption, but they are not concerned with concealment, rather they deal with integrity and authenticity, or more simply, verifying a sender and that the contents of a message have not been changed.

E-mail sent without encryption is like a postcard; others can see the contents if they use special tools to pry. With the use of encryption, only the recipient of the message can open and view the contents of the e-mail. It's like putting it in an envelope and sending it by registered mail. Data other than e-mail can also be stored encrypted so that others cannot easily see its contents.

Why should I care about Encryption?

Typically, encryption is not needed for standard, day-to-day activities. In order to determine if you have digital data that needs to be encrypted, here are some basic guidelines that can be used to determine if encryption is worth implementing. If you answer yes to any of these basic questions, then you should to consider using some form of encryption.

1. Is my data sensitive? If so, how? If your data contains information that is sensitive only to you, and its disclosure does not impact other people's privacy, then is it worth it to encrypt data? Conversely, if disclosure would impact other people's privacy, then you should definitely look at encryption. (HB 104 and University policy identify personal information as an individual's name in combination with the individual's social security number; driver's license or state identification card number; or account number or creditor debit card with security codes or passwords.)
2. Are there already safeguards in place to protect my data? If your data is not portable, nor publicly accessible, then physical compromise is likely the only real threat. Is this threat enough to warrant encryption of data? If your data is mobile (i.e. on a laptop), then physical theft or compromise is a very real concern.
3. Are there policies or laws currently in place governing the data you have (FERPA, HIPAA, University regulations)? If so, what are those requirements and have you made due diligence in meeting them?

How can I encrypt data?

There are so many different methods, standards, and algorithms used to encrypt data that their discussion falls well outside of this document. Instead, a couple of very basic methods should cover most needs. If you feel you need more, you can always contact the Service Desk for more detailed examination of your needs and recommendations for encryption.

E-mail - The most common method for encrypting e-mail is by using software like the GNU Privacy Guard (GnuPG, available at http://www.gnupg.org. GnuPG is free and works on most operating systems and hardware platforms. Setup and use of the program are very well-documented on the GnuPG website.

Hard Drive - Please remember that it is almost never a good idea to encrypt your entire hard drive. Rather, pick and choose which folders should be encrypted. Also be aware that if you cannot unlock the files due to a hard drive failure or other issue, this data may be lost. Caution: encryption uses keys, which, like passwords, can be lost or forgotten.

• PC - Windows XP supports file encryption natively, and you can pick and choose what parts of your hard drive to encrypt. A good step by step guide can be found at http://www.practicalpc.co.uk/computing/windows/xpencrypt1.htm.
• MAC - Mac OS X offers native file encryption as well through the use of FileVault. A good step by step guide can be found at http://www.apple.com/sg/macosx/features/filevault/.

Mobile Encryption

• Laptop - Products such as CyberAngel allow for a virtual disk to be created on your hard drive for encryption and require two-factor authentication (two types of passwords in most cases). These products also have the benefit of having additional features like "call home" where a stolen laptop will broadcast its location if stolen to help in its recovery. You can read more about it at http://www.thecyberangel.com.
• Phone/PDA - Downloading e-mail that has sensitive data is a concern
• Flash Drives - Some drives come with their own encryption software as an option

If you have any further questions, please contact the Service Desk.